Healthcare Data Privacy

Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?

Questions are being raised about whether HIPAA Rules are being violated when attorneys send text messages and push notifications to patients who have visited emergency rooms and other medical facilities using geofencing technology.

Marketers are using a range of clever tactics to sell products and services such as remarketing – The displaying of advertisements on websites to individuals who have previously viewed products on another website but not made a purchase.

Similarly, the use of geofencing is growing in popularity. Geofencing is the creation of a digital fence around a specific location. When an individual crosses that invisible boundary, a push notification is sent to the users mobile phone. That location could be a store or any location. Retailers have been using the technology for some time, Google sends push notifications based on location, and now attorneys are getting in on the act.

This tactic of targeting specific individuals is being offered by at least one digital marketing firm and the service is being offered to attorneys. In this case the geofence is around healthcare facilities, specifically emergency rooms. When an individual enters the ER, they are sent a push notification through their phone offering them legal assistance.

NPR reports that Tell All Digital, a New York marketing firm, has been offering this service to law firms and there is no shortage of takers. It is one of the biggest growth areas for the firm and lawyers from several states are trialling the marketing tactic.

The benefits to attorneys are clear. The technology allows the attorney to be virtually in an Emergency Room or healthcare facility targeting individuals who have more than likely been injured. They are sent advertisements about the option of making a personal injury claim. While only a percentage of patients will have a valid claim, it certainly improves the odds of finding a prospective client.

As with remarketing, an individual can be targeted with adverts for a set period after the visit. Potentially ads or messages could be received for up to a month after a visit to an emergency room, according to the NPR report.

While it is certainly an innovative way for attorneys to find clients that have a higher than average chance of qualifying for a personal injury claim, many view this as an invasion of privacy. But could this also constitute a violation of HIPAA?

HIPAA Rules apply to healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA covered entities. While attorneys can certainly be business associates, HIPAA Rules would be unlikely to apply in this case.

HIPAA covered entities are not supplying any protected health information, the only information that is being supplied is the fact that an individual is in a medical facility, and that information is not passed over by any healthcare company.

While this tactic may not be a violation of HIPAA Rules, it could certainly violate state laws or federal laws other than HIPAA. NPR cites a settlement that was reached last year over similar tactics used by an advertising company to target women who had visited reproductive healthcare facilities. In that case, Copley Advertising set geofences around reproductive health centers and methadone clinics. They were sent messages such as ‘Pregnancy Help’, ‘You Have Choices’, and ‘You Are Not Alone’, with the clients including a Christian pregnancy counselling and adoption agency.

Massachusetts’ attorney general Maura Healey took action and reached a settlement with the advertising agency over potential violations of state consumer protection laws, which the use of geofencing allegedly violated. Under the settlement, Copley was prohibited from using geofencing technology in the state of Massachusetts at or near healthcare facilities to infer the health status or medical conditions of individuals. Healey claimed the actions were tantamount to digital harassment.

Whether the practice violates state laws is open to interpretation, although as the practice appears to be gaining momentum, regulators may have to step in, certainly with respect to visits to healthcare facilities.

While this may not be a matter for the HHS to deal with, it could be dealt with at the state level or it is possible this is more in the realm of the Federal Trade Commission. However, whether the practice actually violates any laws is unclear. What is clear is that unless action is taken, the practice will continue, and its popularity will likely grow.

The post Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA? appeared first on HIPAA Journal.

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach.

Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses

In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows and information about HIV medications were allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing.

Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a further $1.15 million to resolve the privacy violations.

Following on from those settlements, Aetna attempted to recover the cost of the settlements from Kurtzman Carson Consultants, the administrator who allegedly directed the mailing vendor to send the letters to patients that exposed their PHI. Aetna maintains that Kurtzman Carson Consultants did not communicate to Aetna that the mailing was being sent using windowed envelopes. The lawsuit is ongoing.

Further Lawsuit Filed Against Two Firms Representing Breach Victims

Now a lawsuit has been filed by Aetna against the law firm Whatley Kallas and the Californian advocacy group Consumer Watchdog in an attempt to recover at least part of the $20 million in settlements already paid. Consumer Watchdog and Whatley Kallas represented patients in a previous case that led to the sending of the notification letters that exposed patients’ sensitive information.

The privacy breach that led to the $20 million settlement occurred in response to a previous privacy incident that Aetna was sued over. That initial privacy breach related to a requirement for patients who had been prescribed HIV medication to receive the drugs by mail rather than collecting them in person. Since the drugs need to be kept refrigerated, and are dispatched in refrigerated containers, it was alleged that this would violate patients’ privacy as it would be clear to neighbors and co-workers that HIV drugs were being delivered.

The latest lawsuit alleges the plaintiffs were responsible for requiring Aetna to send sensitive information to the Kurtzman Carson Consultants, which Aetna was against and that after that information was passed to Kurtzman Carson Consultants, the plaintiffs failed to ensure the confidential information was protected.

Whatley Kallas had recommended using Kurtzman Carson Consultants and Consumer Watchdog were involved to make sure Aetna made good on its promise to change the requirements for patients to have the drugs sent by mail.

Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog explained to Reuters, that they “edited the text of the letter to make sure we held Aetna’s feet to the fire,” but did not receive any protected health information and were not aware that windowed envelopes were being used and maintain Aetna is making “frivolous claims.”

“If Aetna believes that an attack on lawyers for Consumer Watchdog and Whatley Kallas LLP will be a cost-free exercise in retaliation, it is deeply mistaken,” wrote Rosenfield and Flanagan in a letter to the insurer, concluding “Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis as we are seeking in this action, instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers’ private medical information is protected.”

While this may appear to be a case of passing the buck at face value, the case is not as frivolous as it may sound. According to Aetna, the law firm representing the plaintiffs in the original case were allegedly party to a proposal that stated windowed envelopes were going to be used, but the law firm failed to raise a red flag.

The post Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach appeared first on HIPAA Journal.

OCR Reminds Covered Entities Not to Overlook Physical Security Controls

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded covered entities that HIPAA not only requires technical controls to be implemented to ensure the confidentiality, integrity, and availability of protected health information, but also appropriate physical security controls.

Physical controls are often the simplest and cheapest forms of protection to keep PHI private and confidential, yet these security controls are often overlooked. Some physical security controls cost nothing – such as ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use.

While this is a very basic form of security, it is one of the most effective ways of preventing theft and one that can prove incredibly costly if overlooked. OCR draws attention to a 2015 HIPAA breach settlement with Lahey Hospital and Medical Center. An unencrypted laptop computer was stolen from the Tufts Medical School affiliated teaching hospital resulting in the exposure 599 patients’ ePHI.

The laptop computer was used in connection with a computerized tomography (CT) scanner. The laptop was in an unlocked treatment room off an inner corridor of the radiology department. Lahey Hospital settled the case for $850,000. A high price to pay for failing to implement a free physical security control.

In 2014, QCA Health Plan agreed to settle potential HIPAA violations with OCR for $250,000. QCA Health plan failed to implement physical safeguards for all workstations to restrict access to ePHI to authorized users only. In that case, the workstation was an unencrypted laptop computer that was stolen from the vehicle of an employee.

In 2012, Massachusetts Eye and Ear Infirmary (MEEI) settled a HIPAA violation case with OCR for $1.5 million. This was another case of an unencrypted laptop computer being stolen that resulted in the impermissible disclosure of ePHI.

In 2016, OCR settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute had failed to physically secure a laptop computer containing the ePHI of 13,000 patients. The device was also stolen from the vehicle of an employee.

In July 2016, University of Mississippi Medical Center settled a case with OCR for $2,750,000. An unencrypted laptop computer containing the ePHI of an estimated 10,000 patients was stolen from its Medical Intensive Care unit.

HIPAA requires covered entities and their business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Workstations include desktop computers, laptops, and other computing devices including portable storage devices, smartphones, and tablets.

It is up to HIPAA-covered entities and their business associates to decide on the most appropriate physical security controls to implement, which should be based on their risk analyses and risk management process.

Common physical security controls used to secure electronic devices and ePHI include:

  • Positioning desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
  • Privacy screens to prevent shoulder surfing
  • Cable locks to prevent electronic devices containing ePHI from being stolen
  • The use of security cameras to deter theft of electronic devices and physical PHI
  • Use of signage to remind employees about the need to use physical security controls
  • Use of port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software.

The importance of preventing the use of USB drives by staff was highlighted in a recent study by Dtex Systems into insider threats. While the study was not conducted specifically on healthcare organizations, it did reveal that 90% of the risk assessments conducted on its customers and prospective customers revealed employees were transferring data to unencrypted USB devices.

As OCR explained in its May 2018 cybersecurity newsletter, “While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked.  Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.”

The post OCR Reminds Covered Entities Not to Overlook Physical Security Controls appeared first on HIPAA Journal.

Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches

The 2018 Insider Threat Intelligence Report from Dtex Systems shows how a lack of visibility into employee activities is preventing security teams from acting on serious data security threats.

The report is based on data gathered from risk assessments performed on the firm’s customers and prospective customers. Those risk assessments highlighted just how common it is for employees to attempt to bypass security controls, download shadow IT, and violate company policies.

If your risk assessment has identified employees attempting to bypass security controls, you are not alone. According to the Dtex Systems report, 60% of risk assessments uncovered attempts by employees to bypass an organization’s security controls, use of private and anonymous browsers, or cases where employees had researched how to bypass security controls.

In most cases, employees are attempting to bypass security controls to gain access to websites that breach acceptable internet usage policies – such as adult content, gaming, and gambling sites, and to access P2P file sharing websites. 67% of companies discovered inappropriate Internet use. It is also common for employees to try to download shadow IT to make their jobs easier – use of tools such as Dontsleep, Caffeine, WireShark, or SnippingTool is common, even though those programs are prohibited.

While there may not be any malicious intent, these actions jeopardize security and could easily result in the accidental disclosure of sensitive information or malware infections. Programs such as open VPN tools and CCleaner are also commonly downloaded – both of which are an indicator of employees attempting to cover their tracks, potentially to hide malicious activities.

72% of risk assessments determined at least some employees were using high-risk applications or hacking tools and 90% of risk assessments showed employees were transferring data to unencrypted USB devices. 78% of companies also discovered company data that were publicly accessible online due to mistakes made by employees.

The 2018 Verizon Data Breach Investigations Report showed almost a third of the 2,216 confirmed breaches were caused by insiders and insider data breaches are far more common in the healthcare industry. Typically, in any given month, more healthcare industry data breaches are caused by insiders than breaches caused by external threat actors.

While technological controls can be implemented to improve security, it is important not to neglect the human element. Security awareness training shows employees how certain behaviors can easily result in a data breach; however, employees are often aware that certain actions increase risk, yet they still engage in risky activities. Many employees do not think that their actions will result in a data breach and carry on taking risks. They rely on IT teams to address cybersecurity and take no personal responsibility for helping to keep their company’s systems and data secure.

Security teams can take steps to reduce risk, but unless they have visibility into what their employees are doing they will not know the extent of risk taking by employees are could remain blind to these potentially dangerous activities.

Unfortunately, no single solution can be used to protect against insider threats. Only by using a range of solutions will healthcare organizations be able to tackle the problem of insider data breaches.

In addition to performing regular risk analyses to identify potential threats, Dtex Systems suggests the use of Security Information and Event Management (SIEM), user behavior analytics, and data loss prevention technologies. Additionally, employee monitoring solutions and user behavior intelligence are required to highlight abnormal activities and suspicious behavior. Such solutions will help security teams identify insider threats and take action before they lead to a data breach.

The post Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches appeared first on HIPAA Journal.

HITRUST Now Offers NIST Cybersecurity Framework Certification

The security and privacy standards development and accreditation organization HITRUST has started offering certification for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The certification program makes it easier for healthcare organizations to report progress to management, business partners, and regulators and verify they have met NIST cybersecurity framework controls.

The NIST Cybersecurity Framework is a set of standards and best practices that help organizations improve security, manage cybersecurity risk, and protect critical infrastructure. Many healthcare organizations have adopted the NIST cybersecurity framework but are unsure how they are doing in the cybersecurity categories.

Through the HITRUST CSF Assurance Program, healthcare organizations can assess whether they have met the requirements in each of the NIST categories.

The HITRUST CSF now includes a scorecard that allows organizations to check how their security program maps to the core subcategories of the NIST Cybersecurity Framework and provides compliance ratings for each core subcategory. HITRUST also provides certification to confirm that organizations are meeting all requirements of the NIST Cybersecurity Framework. If an organization achieves a certain score, certification will be issued against the NIST Cybersecurity Framework.

The Government Accountability Office (GAO) has confirmed that the HITRUST CSF aligns with the NIST Cybersecurity Framework and allows organizations to demonstrate compliance.

NIST has also developed guidance for healthcare organizations to help them implement the various controls detailed in the NIST Framework. The implementation guidance can be used even if organizations choose not to go through the assessment process.

“The HITRUST CSF’s integration and harmonization of multiple industry-relevant statutory, regulatory and best practice requirements into a single, prescriptive, yet highly tailorable framework makes it extremely easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress towards a cybersecurity program that fulfills the goals and objectives of the NIST Framework”

HITRUST CSF Assurance Program has been adopted by approximately 80% of hospitals and insurance companies. Through a single assessment, healthcare organizations can assess compliance with the HIPAA Security and Privacy Rules, the NIST Cybersecurity Framework, GDPR, ISO 27001, PCI and other leading standards and frameworks.

The post HITRUST Now Offers NIST Cybersecurity Framework Certification appeared first on HIPAA Journal.

OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches.

This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches.

OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter only for the advance notice of proposed rulemaking to be delayed.

If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve that aim and the methodology that should be employed.

One thing is clear, such a step would certainly be a challenge. How would OCR decide on the percentage of any HIPAA settlement or fine that should be paid to the victims of HIPAA violations and data breaches and how would it be possible to share the money fairly between affected patients?

Should every individual affected by a violation/breach receive an equal share of any settlement or should the amount received be determined by the type of PHI that has been exposed or the level of harm caused? In the case of the latter, how would it be possible to quantify harm and ensure appropriate payments are made?

Settlements to resolve HIPAA violations are not only determined by the number of individuals affected and the severity of the violation. OCR also takes the ability of a covered entity to pay a penalty into account. The amount paid to breach victims of virtually carbon-copy HIPAA violations at different covered entities would likely be vastly different.

The more people impacted by a data breach, the less the share would likely be for affected individuals. For example, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016 and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same amount. The NYPH settlement resolved violations that affected a handful of patients, whereas the MAPFRE breach impacted 2,200 individuals. The relative payments if the percentage was fixed would differ considerably.

Potentially, HIPAA financial penalties could significantly increase if a percentage of funds are given to breach victims to ensure patients get a reasonable payment, especially for HIPAA violations and data breaches where considerable harm has been caused – The unauthorized disclosure of the HIV positive status of a patient for example or breaches where patients’ PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology used would have to be very carefully considered to ensure funds are shared fairly. Even if the advance notice of proposed rulemaking is issued in November, it is likely to be some time before a fair methodology is decided and any payments are made.

OCR has also proposed other rules that could see HIPAA Rules modified in the near future. OCR has proposed a change to the HIPAA Privacy Rule provision requiring healthcare providers to obtain acknowledgment from patients of receipt of the notice of privacy practices. Currently healthcare providers are required to make a good faith effort to obtain written acknowledgements from patients, or must explain why acknowledgements have not been obtained. That requirement could well be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to incorporate the accounting of protected health information disclosures of the HITECH Act, which has not yet been implemented due to the perceived cost to healthcare organizations.

OCR also proposes a change to the HIPAA Privacy Rule – Presumption of Good Faith of HealthCare Providers – that would “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”

The post OCR Plans to Share HIPAA Violation Settlements with Breach Victims appeared first on HIPAA Journal.

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March.

There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.

Healthcare Data Breach Trends

For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.

Healthcare data breaches by month

For the third consecutive month, the number of records exposed in healthcare data breaches has increased.

HEalthcare records exposed by month

Causes of Healthcare Data Breaches in April 2018

The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees.

Causes of Healthcare Data Breaches in April 2018

Records exposed by breach type (April 2018)

Largest Healthcare Data Breaches in April 2018

More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.

While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected, were unauthorised access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.

Covered Entity Entity Type Records Exposed Breach Type
CA Department of Developmental Services Health Plan 582,174 Unauthorized Access/Disclosure
Center for Orthopaedic Specialists – Providence Medical Institute (PMI) Healthcare Provider 81,550 Hacking/IT Incident
MedWatch LLC Business Associate 40,621 Unauthorized Access/Disclosure
Inogen, Inc. Healthcare Provider 29,528 Hacking/IT Incident
Capital Digestive Care, Inc. Healthcare Provider 17,639 Unauthorized Access/Disclosure
Iowa Health System d/b/a UnityPoint Health Business Associate 16,429 Hacking/IT Incident
Knoxville Heart Group, Inc. Healthcare Provider 15,995 Hacking/IT Incident
Athens Heart Center, P.C. Healthcare Provider 12,158 Hacking/IT Incident
Fondren Orthopedic Group L.L.P. Healthcare Provider 11,552 Unauthorized Access/Disclosure
Kansas Department for Aging and Disability Services Healthcare Provider 11,000 Unauthorized Access/Disclosure
Carolina Digestive Health Associates, PA Healthcare Provider 10,988 Unauthorized Access/Disclosure

Location of Breached PHI

One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.

Location of Breached PHI (April 2018)

Data Breaches by Covered Entity

The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.

Data Breaches by Covered Entity (April 2018)

Healthcare Data Breaches by State

California is the most populated state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.

Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each has two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.

Financial Penalties for HIPAA Covered Entities

The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.

There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.

The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.

A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.

The post Healthcare Data Breach Report: April 2018 appeared first on HIPAA Journal.

Warnings Issued Over Vulnerable Medical Devices

Warnings have been issued by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in several medical devices manufactured by Silex Technology, GE Healthcare, and Phillips. If the vulnerabilities were to be exploited, an unauthorized individual could potentially take control of the devices.

Phillips Brilliance CT Scanners

In early May, Phillips alerted the National Cybersecurity and Communications Integration Center (NCCIC) about security vulnerabilities affecting its Brilliance CT scanners. Phillips has been working to remediate the vulnerabilities and has been working with DHS to alert users of its devices to help them reduce risk. There have been no reports received to suggest any of the vulnerabilities have been exploited in the wild.

Three vulnerabilities have been discovered to affect the following scanners:

  • Brilliance 64 version 2.6.2 and below
  • Brilliance iCT versions 4.1.6 and below
  • Brillance iCT SP versions 3.2.4 and below
  • Brilliance CT Big Bore 2.3.5 and below

See ICS-CERT advisory (ICSMA-18-123-01)

The Brilliance CT scanners operate user functions within a contained kiosk environment in the Windows OS. The vulnerability – CVE-2018-8853 – could be exploited to allow an unauthorized individual or kiosk application user to gain unauthorized elevated privileges and access to unauthorized resources from the underlying Windows OS.

CVE-2018-8861 is a vulnerability in the Brilliance CT kiosk environment which could be exploited to allow an unauthorized attacker or limited access kiosk user to break out of the containment of the kiosk environment, gain elevated privileges from the underlying Windows OS, and access resources from the operating system.

CVE-2018-8857 is a vulnerability associated with hard-coded credentials used for inbound authentication and outbound communication. Those credentials could be compromised, allowing access to the system to be gained.

CVE-2018-8853 and CVE-2018-8861 both have a CVSS v3 base score of 6.1, while CVE-2018-8857 has a CVSS v3 base score of 8.4.

The vulnerabilities cannot be exploited remotely and require user interaction. According to a statement issued by Phillips, “An attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit.” If exploited, the attacker could execute commands with elevated privileges and gain access to “restricted system resources and information.” The vulnerability would require a low level of skill to exploit.

The vulnerabilities are considered low-risk, but under the company’s responsible disclosure policy, an advisory was issued to alert users to the risk and provide information to reduce risk to a minimal level.

Phillips recommends only using Brilliance CT products within the specifications authorized by Phillips, such as only using Phillips-approved software, system services, and security configurations. Physical controls should also be implemented to limit access to the devices.

Phillips has taken action by remediating hard-coded credentials for its Brilliance iCT 4.x system and later versions and will continue to assess further options for remediating the vulnerabilities.

Silex SX-500, SD-320AN Wireless and GE Healthcare MobileLink

Two vulnerabilities have been discovered to affect certain Silex Technology products and GE Healthcare MobileLink technology. The vulnerabilities, tracked as CVE-2018-6020 and CVE-2018-6021, have been assigned a CVSS v3 rating of 6.5 and 7.4 respectively. See ICS-CERT advisory (ICSMA-18-128-01)

The following products are susceptible to one or both of the vulnerabilities:

GEH-500 (V 1.54 and earlier), SX-500 (all versions), GEH-SD-320AN (V GEH-1.1 and earlier), and SD-320AN (V 2.01 and earlier). The following GE MAC Resting ECG analysis systems may use vulnerable MobileLink Technology: MAC 3500, MAC 5000 (E.O.L 2012), MAC 5500 and MAC 5500 HD.

The vulnerabilities would require a low level of skill to exploit and could allow an unauthorized individual to modify system settings and remotely execute code. ICS-CERT notes that public exploits for the vulnerabilities are available.

CVE-2018-6020 concerns a lack of verification of authentication when making certain POST requests, which could allow the modification of system settings. CVE-2018-6021 concerns an improperly sanitized system call parameter, which could allow remote code execution.

The following recommendations have been made by Silex/GE Healthcare:

To mitigate CVE-2018-6020 on GE MobileLink/SX-500, users should enable ‘update’ account within the web interface, as this is not enabled by default.  To prevent changes to device configuration, users should set a secondary password for the ‘update’ account.

Silex Technology and GE Healthcare have produced updated firmware to resolve the CVE-2018-6021 vulnerability for GE MobileLink/GEH-SD-320AN, which will be available for download from May 31, 2018 once testing has been completed.

NCCIS suggests users should minimize network exposure for control system devices and/or systems to ensure they cannot be accessed over the Internet. All controls systems and remote devices should be located behind firewalls and isolated from business networks. If remote access is required, a VPN should be used.

NCCIC has advised users to conduct an impact analysis and risk assessment prior to any attempt to mitigate the vulnerabilities.

The post Warnings Issued Over Vulnerable Medical Devices appeared first on HIPAA Journal.

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity Records Exposed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed

 

So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advance antivirus solutions and anti-malware defences should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.

The post Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed appeared first on HIPAA Journal.